Agency server attacked in largest hacker-related HIPAA breach

In one of the largest HIPAA breaches ever reported, the Montana Department of Public Health and Human Services is notifying some 1.3 million people after hackers gained unfettered access to an agency server for nearly a year before being discovered.

Hackers likely first gained access to the server as far back as July 2013, according to DPHHS officials, but the breach was only discovered on May 15, 2014. An independently conducted investigation confirmed on May 22 that the server had been accessed by outsiders.

Data compromised included clients', employees' and contractors' names, addresses, dates of birth, Social Security numbers, clinical and medical data, and dates of service. DPHHS employee bank account and payroll information was also held on the server, officials said.

This is the fifth-biggest HIPAA breach ever reported, according to data from the Department of Health and Human Services, and the largest hacking-related HIPAA breach to date.

"We apologize for the stress this announcement is going to cause," said Richard H. Opper, director of the DPHHS, in a prepared statement. "DPHHS is committed to answering questions clients and employees may have and to help them to take advantage of the services we are offering." DPHHS will be providing affected clients with credit monitoring services.

Just this February, hackers also targeted and gained access to a server of the five-hospital St. Joseph Health System in Bryan, Texas, compromising the protected health information of some 405,000 individuals. The hackers had access to the server for three days before being discovered.